Joomla! Web Security
上QQ阅读APP看书,第一时间看更新

Downloading Joomla!

In this section, we will discuss a few relevant points necessary to security. However, detailed instructions for installing either of the two versions can be found in the following Packt Publication books:

Joomla! 1.0.x series—http://www.packtpub.com/joomla-v1/book

Joomla! 1.5 series—http://www.packtpub.com/joomla-version-1-5/book

If you are not familiar with installation, I highly recommend you to read one or more of these in detail before installing Joomla!

Now that you have chosen a host, and have your site prepared, its time to download Joomla! But wait? Which one do I choose? Surely, you chose this already in Step 11 from Joomla! 1.0.15, or the new and completely redesigned Joomla! 1.5.X. It is important to understand a few differences about each of these versions before you make an initial decision. Just as your choice of a version is important, so is it important to ensure that you download it from a reputable source, preferably Joomla.org. There are other sources from where you can download it preconfigured, and with add-ons. There's nothing wrong with that, but check it thoroughly. The point to remember here is that you must be very sure that it's a trusted source and that it hasn't been tampered with. Later, we'll learn about some tools developed by the community that will help you keep track of the health of your site. When you download your copy of Joomla!, it should be provided to you in a ZIP format. That zip file itself has an MD5 hash, which is a 'digital signature' ensuring that nothing has been changed. Note: At the time of writing this book, the MD5 Hash for Joomla! 1.0.15 was not available from Joomla.org.

If your hash is different, then the package contents have been tampered with. This could indicate something as simple as a bad download, or it could be tampering. I would suggest you not to use this package, rather delete it and re-download. In any event, the MD5 Hash is a good protection mechanism to ensure the "Authenticity" of the compressed file.

Note

Where did you download it from?

Always take the extra caution of downloading your source directly from Joomla! to ensure that you are always getting the correct package. This is not to say that other reputable sites aren't offering it, but it's an easy step to ensure security.

One of the key security differences between 1.0.12 and 1.0.13 is the way a password is stored. In fact, it's so different that if you upgrade to 1.0.13 from 1.0.1x, you cannot go back in the event of a problem. At the time of writing the book, this is presenting a problem for some extensions. It is highly recommended that you check on the Joomla.org site for changes that will have come before this book reached publication.

Another important difference in 1.0.13 is that the Register Globals emulation setting has been moved to the main configuration file and can be adjusted in the backend administrator interface, as opposed changing it in globals.php in 1.0.12 and lower.

Joomla! 1.5 is a newly redesigned version that streamlines quite a few of the traditional methods. These include features such as the installer being universal, not broken out separately, a new FTP layer, new API for third-party extensions, easier development, and promises of robust performance. However it is a different Joomla! and the reader should familiarize themselves with it in detail before determining which path to take.

The following are some settings you will need to make before you launch your Joomla! site. Doing so will prevent some nasty surprises later.

Settings

The file known as php.ini is a PHP configuration file used to control some of the settings of the PHP interpreter. A php.ini file enables you to customize such settings as whether the global variables are turned on, the default directory to upload files to when writing upload scripts, and the maximum allowed size for uploaded files. There are many other settings we'll cover in later chapters. For this portion, we're going to cover the necessary parts to set up a secure environment for your system. They will help you in making your system more secure. But again, as was pointed out in the introduction, there is no such thing as a completely secure system. One additional thought is that these settings may need to reside in more than one place, depending on the way your host has its servers configured. As such, you are encouraged to read the Joomla! forums regarding php.ini to see if someone has already solved this problem with your host or not. Many times, they have. What we will cover here are the basic php.ini settings that are needed for Joomla! 1.0.xx series. We'll cover the Joomla! 1.5 settings following this.

For each setting, we name its default value and a short blurb on why we must select it. In a later chapter, we'll cover php.ini in greater detail.

Following this will be the settings for other files such as .htaccess and global.php.

In the PHP version 4.2.0, the support for one important variable was changed. We won't go into the details as to the battle that must have ensued to change this, but you can read about it at http://www.php.net; look up Register Globals. It is noteworthy to point out that in PHP 6 this is completely gone.

Settings:

  • register_globals = off (you may also see it as = 0)

    If this is left on, someone attempting to break your site could use it to inject your scripts with all sorts of variables. This is a typical problem with some extensions and has been the death of many a good site. The attacker could use this to insert request variables from HTML forms as a means to break the site open. In the past, it was assumed that PHP simply worked this way, and so many extensions and applications were written that required it to be on. There are only two things you should do in that case, fix the extension by coding in the proper support to sanitize and check, or dump it and get a different extension. Note that in Joomla! 1.0.13, this is now included in the control panel.

  • magic_quotes_gpc (by default it is on)

    First and foremost, this is on by default and should remain on. This "escapes" all variables that are sent to the database. The crackers will use scripts loaded with all kinds of goodies, meant to pass through to the database or other parts of the system. By escaping them, it actually neutralizes their power to harm you. DO NOT TURN THIS OFF.

    In segments of the PHP community, there is a great deal of preference for leaving this off and ensuring that you write cleaner code, putting in proper escape characters, and so forth. That topic is beyond the scope of what we're discussing, and unless you write all your own code, leave it on. You don't know unless you verify it what someone else's code is doing.

  • allow_url_fopen = off

    This function treats remote files as if they were local files on the server. The preferred setting is default. This is a PHP command that says if the filename takes the form of http://..., or ftp://... it is assumed to be a URL. The PHP engine takes off in search of a correct wrapper or handler to deal with it. As you can see, this is a neat way to mess with the system. If it cannot find the right protocol, in this example FTP or HTTP, then it issues some warnings and treats as if it is a local file.

    This may not always work and you may have to trade off running it "ON" if you have certain extensions that are required to have it "ON". As always, your mileage may vary.

  • expose_php = off (default value = on)

    One of the first steps an 'attacker' takes is to learn as much as possible about your site and you. Therefore, while we don't advocate security by obscurity as a matter of course, due to it being generally a weak plan, a little misdirection can be a good thing. This setting when set to off can reduce the amount of information an attacker could glean.

  • safe_mode = off (default)

    This one can be tricky, but it is recommended by Joomla! to leave it in its default state of off. Turning it on will disable quite a few features, including, but not limited to: parses_ini_file(), chmod(), chown(),exec(),system() and more.

    However, being in a shared world, you may run into situations where it needs to be changed to on. If it is turned on, there are several options that go along with it. And there are several things that may not work with Joomla!—so use it with caution.

There are several other optional settings in php.ini that change how the system functions, but these are the key ones.

Next you will need to make changes to your globals.php file if you haven't made them already. Note that this applies to Joomla! 1.0.12 and older. For Joomla! 1.0.13, change this in the configuration panel.

Make the following change to the highlighted line—Please change the 1 to a 0

/**
* Use 1 to emulate register_globals = on
*
* Use 0 to emulate regsiter_globals = off [sic]
*/
define( 'RG_EMULATION', 1 );
/**
* Adds an array to the GLOBALS array and checks that the GLOBALS variable is
* not being attacked
* @param array
* @param boolean True if the array is to be added to the GLOBALS
*/

In Joomla! 1.0.13, in the administrative console select GLOBAL CONFIGURATION | SERVER. You will see this box:

Settings

If you are using Joomla! 1.5.3, add the value to your php.ini file of:

register_globals = off

Be sure to add a php.ini file to your administrator folder as well as in your Joomla! 1.5 configuration.

Note

Please note that some hosting configurations have an hourly update whereby they clear the cache on the server of the former .htaccess and php.ini files. If you don't see an immediate change to your system after you add your .htaccess or your php.ini files, wait for an hour and come back.

This is not too uncommon, but it does vary by host. You can inquire about it with the technical support staff or check the frequently asked questions section to see if this is the case.

How critical is Register Globals ?—Very!

The setting may be "1" out of the box. If so, make sure you change this to zero. This will ensure that Register Globals is turned off. This is very critical to the operation of your site. By ignoring this, you are leaving your system open to all kinds of shenanigans by the bad guys.